  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 664

Citrix receiver PNAgent URL enumerates apps when not connected to domain, how?

Hello there,

When I have my laptop connected to a Wi-Fi network at home or on a train during travel, the Citrix Receiver with server address pointing to https://mycompanyname/citrix/pnagent/citrix.xml can enumerate apps and desktops, even though I am not connected to my company's network.

How is this possible? How is the communication happening?

Am I missing anything here that I am not understanding?

Please advise.

Thanks and Regards
0
goprasad
1 Solution
 
Rizzle Commented:
Hi,

The applications may be enumerating under a cached setting; what happens when you actually click on one?

I remember seeing this once, and the user could see their applications (cached) but couldn't actually do anything with them.

Do you have Storefront in your environment?
0
 
Rizzle Commented:
Unless the Citrix Receiver is pointing to the CAG in your environment?
0
 
Dirk Kotte SE Commented:
Is "mycompanyname" reachable from the internet?
Can you open https://mycompanyname/citrix/pnagent/citrix.xml within a browser and see an XML output?

Btw, the URL should be the following:
https://mycompanyname/citrix/pnagent/config.xml
0

 
goprasad Author Commented:
When I browse to mycompanyname in a browser, I get an XML output.

And yes URL should end with config.xml
0
 
Rizzle Commented:
You didn't answer my questions?
0
 
Dirk Kotte SE Commented:
OK, it seems your company publishes the apps to the internet also.
There are different options for how to accomplish this ... some secure, some not.
Your company may use an SSL gateway like Citrix Access Gateway (CAG), NetScaler Gateway or Citrix Secure Gateway.
Also possible (but not secure) is to publish the webinterface-IIS directly using NAT at the firewall.

The first options are common and you should not be surprised as a user.
If you are the responsible person for this environment or a security officer, you should check this ;-)

And now the HOW:
Your Receiver connects to the published PNA site, receives the XML file you have seen already, sends your authentication data (manually entered, or from your session if pass-through is enabled) and the Receiver gains access to your applications. That's all.
0
